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Abstract 

We study private quantum channels on a single qubit, which encrypt 
given set of plaintext states P. Specifically, we determine all achievable 
states p'°) (average output of encryption) and for each particular set P 
we determine the entropy of the key necessary and sufficient to encrypt 
this set. It turns out that single bit of key is sufficient when the set P is 
two dimensional. However, the necessary and sufficient entropy of the key 
in case of three dimensional P varies continuously between 1 and 2 bits 
depending on the state p' ' . Finally, we derive private quantum channels 
achieving these bounds. We show that the impossibility of universal NOT 
operation on qubit can be derived from the fact that one bit of key is not 
sufficient to encrypt qubit. 



1 Introduction 



Quantum cryptography |14l 15*] (for a popular review see [Tf5]) is a rapidly de- 
veloping branch of quantum information processing. The results of quantum 
cryptography include quantum key distribution "5J I12| , quantum secret sharing 
|19l*9"]. quantum oblivious transfer "2J[n"" and other cryptographic protocols |17| . 
Quantum cryptography has two main goals: solutions to classical cryptographic 
primitives, and quantum cryptographic primitives. 

The first goal is to design solutions of cryptographic primitives, which achieve 
a higher (provable) degree of security than their classical counterparts. The 
degree of security should be better than the security of any known classical 
solution, or it should be of the degree that is even not achievable by using 
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classical information theory at all. Another alternative is to design a solution 
which is more efficient 1 than any classical solution of comparable security. 

The second class of cryptosystems is motivated by the evolution of appli- 
cations of quantum information processing, regardless whether their purpose is 
cryptographic, communication complexity based or algorithmic. These cryp- 
tosystems are designed to manipulate quantum information. As applications of 
quantum information processing start to challenge a number of their classical 
counterparts, the need to secure quantum communications in general is get- 
ting more urgent. Therefore, there is a large class of quantum primitives which 
should secure quantum communication in the same way as classical communi- 
cation is secured. These primitives include encryption of quantum information 
using both classical and quantum key |2J|> authentication of quantum 

information [2] , secret sharing of quantum information (UJ I15| , quantum data 
hiding and even commitment to a quantum bit oblivious transfer of 
quantum information and others. 

In this paper we concentrate on the encryption of quantum information with 
classical key pQ described and explained in Section [21 At the end of Section [3 
we introduce notation and one theorem we will be using through the remaining 
sections. To begin our analysis, in Section[3]we investigate for a given set P the 
set of all possible states p^ such that there exists a private quantum channel 
E with the property V/? € P : E(p) = p^> and we determine that it forms a 
ball within the Bloch sphere centered in In the Sections 0}[7| we derive all 
possible private quantum channels for a given set P and state p^ and analyze 
necessary and sufficient entropy of the key of such PQC. We also explicitly 
construct PQCs achieving this bound. Another interesting result contained in 
Section is that any PQC encrypting given set P of two linearly independent 
states encrypts also any two-dimensional set P' parallel to P and lying in the 
plane spanned by P and |l. 

We conclude our paper in Section [S] by few comments on possible general- 
izations of the described techniques to systems of higher dimension. 



2 Private quantum channel 

The private quantum channel is a general framework designed to perfectly 
encrypt an arbitrary quantum system using a classical key. 

Definition 2.1. Let P C 5(7^1,. ..,„) be a set of n-qubit states 2 , E = {(pi, Ui)}i 
be a superoperator, where each Ui is a unitary operator on < m, 

Pi > 1 and YliPi — 1- Let p anc be an (m — n) qubit density matrix and p^ 
be an m-qubit density matrix. Then [P, E, p anc , p^} is a private quantum 

According to time, space or communication complexity. 
2 To make the definition easier we work with qubits. To obtain an equivalent definition for 
arbitrary quantum systems A it suffices to replace Hi n by Ha an d H n +l,...,m by Hanc- 
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Figure 1: Encryption using PQC. 



channel (PQC) if and only if for all p £ P it holds that 



E(p®p anc ) = y^PjUjjp® Panc)U} = p' 



(1) 



The definition of the private quantum channel establishes the following cryp- 
tosystem. Alice wants to establish a communication (quantum) channel with 
Bob with the property that any state p £ P will be transmitted securely. The 
security in this case means that Eve gets no advantage (information) by inter- 
cepting the transmitted message. 

The encryption of the plaintext is done in the way that one operator, chosen 
randomly out of the operators {Ui\i, is applied to the plaintext system. The 
operator U% is chosen with probability pi. The classical key specifies which 
of the unitary operators was applied. The unitary operators Ui are acting on 
^i,...,m, while the state p is only n-qubit state. The encryption operation Ui is 
performed on the Hubert space 7ii,..., m , the plaintext space is a subspace 

of 7ii....,m- The encryption operation is defined on the (possibly) larger space 
than the plaintext to allow optional encryption of the plaintext together with an 
ancillary system. The encryption operators, therefore, act on a tensor product 
of the plaintext Hilbert space Hi,..., n and the ancillary Hilbert space Hn+i,...,m, 
which is originally factorized (decoupled) from the plaintext. The ancillary 
Hilbert space is initially in the state p anc (see Figure 

The security of the scheme can be explained in the following way: Without 
knowledge of the key (i.e. without specific knowledge about which of the oper- 
ators was used) any initial state p £ P together with the ancilla appears to be 
in the state p^ 1 after the encryption. The state p^ is the same for all p £ P, 
it is independent of the input state. It means that all states from the set P are 
physically indistinguishable after the encryption. 

A dual point of view of the security is also possible. Let us denote by 
C = E[P] the set of all ciphertexts, i.e. pf = UipU} £ C for each encryption 
operation Ui and plaintext state p £ P. The encryption key (represented by 
the sequence ii,...,i n ) is used also for the decryption. The only difference 
in the case of the decryption is that the inverse operations Uj are applied, 

( c) i ( c) 

i.e. p\ i— ► Uj pi Ui = p £ P. Formally the decryption procedure induces 
a transformation D[p] = ^iPiU} pUi. It describes the result of a decryption 
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of a particular ciphertext without knowledge which key was used to encrypt 
it. The probabilities {pi}i are the same as in the case of Eq. because the 
probability that the key Ui was used is pi. In general, each encryption operation 
Ui defines a different set of ciphertexts Gj. The linear span is just rotated 
set of plaintexts P. 

From Eq. Q it follows that the information about the ciphertext contained 
in the plaintext is I{pp : pc) = 0. However, from the symmetry of the mutual 
information it follows that the information about plaintext contained in the 
ciphertext is also 0, therefore, the dual equation also holds 

T){p) = Y,PiU ] i{p)U i = p( l \ (2) 

i 

where p^ is fixed for all ciphertext states p. The superoperator D = {(pi, U^i)}i 
is not an inverse of the superoperator E in the standard meaning. It describes 
the result of a decryption of a particular ciphertext without knowledge which 
key was used to decrypt it. 

From the mathematical point of view the encryption transformation E is 
defined as a convex combination of unitary maps. Using the ancilliary system the 
encryption can be still defined only in terms of the system under consideration. 
Tracing out the ancilla we obtain a map E s with the action defined by E s [p] — 
Tr Qnc E[p (g) pane]- The usage of ancilla results in most general form of the 
quantum channel, i.e. E s [p] = J2iPi^i[p] witn g 4p] = Tr mc [l/,/)« } J anc 
However, for the decryption the ancilliary system is necessary. In this paper 
we will analyze PQC without additional ancillas, so the encryption is formally 
a convex combination of unitary transformations. It means the encryption is 
described by a unital completely positive map, i.e. it preserves the total mixture 

Finally, we will introduce one definition and one theorem, which will be used 
through this paper. 

Definition 2.2. Let P = {pi\i £ I}, where I is an index set. We define the set 
P as 



\p = J2 Al <°* ^ e P, A, e M, ^ A t = l i 
I iei iei J 



(3) 



Especially in the case when P = {pi, P2} the set P contains all operators of the 
form Api + (1 — X)p2- 

From now on we will denote the maximally mixed state 3 in P as "p. 

Theorem 2.3. Let [P, E, pW] be a PQC. Then E(p) = p( *> for any operator p £ 
P . Note that we are interested only in operators p with nonnegative eigenvalues, 
since the operators with negative eigenvalue(s) are not valid quantum states. 

Proof. The proof follows from the linearity of E. □ 



3 Le. the state nearest to the maximally mixed state ^1 according to the trace distance. 
It is also the nearest state in the Bloch ball. 
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3 Achievable states 



In this section we will derive several results on PQC on a single qubit. Our first 
question is 'What are the possible states p^ given a specific set P?'. In pQ it 
was proved that the only possible candidate for the state p^ is |l, whenever ^1 
can be expressed as a convex combination of states from P. We will generalize 
this result for any set P to calculate the minimal entropy of the key necessary 
and sufficient to encrypt a specific set P. 

All information about the action of E we have is its behaviour on the set of 
plaintexts P. Each element of this set is transformed into the fixed state p(°\ 
This determines the channel E completely, or incompletely depending on the set 
P. However, in the case of incomplete specifications the choice of the channel E 
has no impact on the security. Under the action of the channel E each operator 
p 6 P is transformed into p(°\ This follows directly from the linearity of the 
transformation E. 

Let us assume a PQC given by operators {(pi,Ui)}i with some p^°K By 
applying the unitary transformations U- — VUi (V is unitary) we obtain that 
Eift^iP^ = Y. l V i yV iP U\V^ = Vp^V^ = p' (0) is fixed for all plaintext 
states. It follows that the unitarily transformed PQC is again a PQC with 
unitarily transformed average output state. Moreover, a convex combination of 
two PQC channels Ei, E 2 for the given set P is again a PQC channel for P. In 
particular, E = ttiEi + 7r 2 E 2 is PQC with = 7Tip* 0) +7r 2/ 9 2 0) , i.e. E[p] = 
for all p £ P. Thus, for a given set of plaintexts P the set of all possible private 
quantum channels is convex. The set of achievable states is convex as well. It 
is formed by orbits of states under the action of the whole unitary group. 

For any TCP map E the following inequality holds 

D{p,a)>D{ti{p)M°)) (4) 

for the distance measure D(p, a) = Tr|p — a\ on mixed states, i.e. two quantum 
states p, a cannot become more distinguishable after applying a TCP trans- 
formation. We have already mentioned that we consider that the encryption 
superoperator E is unital (we do not consider the ancilla here) and therefore 
from Eq. (0J we have 

D(p,il)>D(>,il), (5) 

where p e P is any state in the set P and p^ = E(p) is fixed for all states 
p € P. We use the fact that for unital maps E[^l] = ^1. Especially this 
equation holds for the state /?, which is the most mixed density operator in P 
(the nearest point to 5 1 in the Bloch ball). 

Therefore the condition is that given the set of plaintext states P any achiev- 
able state p(°) fulfills the condition 

D (7^1) > ^ (/^l) ■ (6) 
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As a consequence, we obtain the result of pp that the state p^ = |l whenever 
^1 is contained in the convex span of the set P. 

Provided that the most mixed state p in P is not ^1, the state p' ' must 
have the same or a smaller distance from ^1 than "p. This is the necessary 
condition each candidate to the state p^ must obey. In this sense the set of 
potential candidates p(°> forms a ball within the Bloch ball, with the center in 
^1 and the radius given by the distance of p and ^1. Let us denote this ball 
(set of allowed states) by b. This condition is necessary, it remains to verify 
whether it is also sufficient, i.e. whether for a given P and V G b there 
exists a suitable TCP superoperator E p ( > , or equivalently whether the set of all 
achievable states coincides with those allowed by inequality (JSJ . 

In what follows we will analyze the achievability of p(°' . Let us first consider 
two trivial cases. When P has only a single member, then there is nothing 
to encrypt. If the set P contains at least four linearly independent members, 
then P already spans the whole Bloch ball and |l € P. It follows that the 
PQC maps all states to ll, so the set of achievable states contains only single 
element. In subsequent sections we will analyze the remaining two cases: i) set 
P is two-dimensional, and ii) set P is three-dimensional. 

In Sect ions we will adopt analytical approach to prove that for all states 
p(°) £ b given a set of plaintext states P there exists a PQC sending the set P 
to p' '. In Section we will analyze concrete PQC realizations as well as the 
minimal entropy of the key for a given set P and p^ . We will show an easily 
understandable geometrical method how to construct PQCs for encryption of 
the given set of plaintexts. 

4 General remarks 

In our analysis we will exploit the geometric picture of the Bloch ball (see 
Appendix). In both cases we will define specific representatives of the set of 
plaintexts P. We will choose the basis of the state space as four operators £j 
represented by mutually orthogonal Bloch vectors Vj. In particular, we will 
rotate the coordinate system (this rotation is just unitary change of the basis 
operators) to work with not necessarily positive, but trace-one operators 

e, = l(i+0s y ) - 

£, - 1(1 + S z ) <-> 
& = |l 

The S-basis is just a suitably rotated c-basis (basis consisting of Pauli opera- 
tors), i.e. Sj — UiJjW for some unitary U. 

This new operator basis shares all the properties of the original Pauli basis. 
In fact, the operators S x ,S y ,S z specify only a rotated Cartesian coordinate 
system. Each private quantum channel E induces a contraction of the given 
set P into the state p(°\ Our first aim is to explicitly specify the maximally 



v x = (a, 0,0) 
v y = (0,/3,0) 
v z = (0,0,1) 
v = (0,0,0) 
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mixed state in p S P. The second goal will be to show the achievability of 
this state, i.e. the construction of the PQC that transforms the whole set of 
plaintexts states into the state p^ having the same mixedness (i.e. distance 
from il) as p. In particular, = VpV^ (V is unitary). Let us denote by s 
the mixedness of p. Then the PQC E p (o) acts (in a suitably chosen basis) as 
follows: E p (o) = = + s ■ S z ) for all £j e P. Its action on the linear 
complement of P must be defined in a way that the whole transformation is 
TCP. The existence of such PQC will be proved in subsequent sections. 



5 Two states 

Given two linearly independent states P = {pi,p2} the set P defines a line 
crossing the Bloch sphere in two pure states, e.g. \ipi), \ip2}- The mixedness of 
p\ = Xpi + (1 — X)p2 (i.e. the distance from the total mixture) is characterized 
by the length of the corresponding Bloch vector f\. In particular, |r*A| 2 = 
A 2 |ri| 2 + (1 — A) 2 |r*2| 2 + 2A(1 — A)ri • r 2 can be easily minimized (with respect to 
A) providing that we use two pure states <-» fj. In this case |fi| = |r 2 | = 1 
and f i • r*2 = |fi| • 1 7^2 1 cos9 with 9 £ [0, 7r] being an angle between the vectors. 
The minimum we obtain by calculating the equation 

-jr[X 2 + (1 - A) 2 - 2A(1 - A) cos 8] = 2(2A - 1)(1 - cos6>) = (8) 
The minimum is achieved for A = 1/2, i.e. for the equal mixture of two pure 



states from P and reads |r m i n | = y 5(1 + cos#). For general (nonpure) states 
pi <-> r*i and p 2 <-» r 2 the state p\ = Xpi + (1 — A)p 2 is maximally mixed for the 
value A = (|r 2 | 2 - r x ■ r 2 )/|fi - r 2 | 2 . 

Let us assume that the state \t\)\) corresponds to the North Pole of the Bloch 
ball and the y coordinate of |i/> 2 ) vanishes, i.e. we choose the operator basis 
S x ,S y ,S z such that = 5(1+^) and 1^2X^2 1 = 5(1 

+sin 9S X +cos 9S Z ) . 

In other words, the state l^) is represented by the vector f 2 = (sm9, 0, cos^). 
The norm of the vector f\ is minimal for A m ; n = 1/2, i.e. r m j n = (| sin0, 0, 2 (1 + 

cos 9)) with norm |r m i„| = \J + cos 9). 

The possible quantum private channels form a set 



E 



f 1 \ 

i(l-cos0) a isin6» 

6 

\ isin6» c i(l + cos6») / 



(9) 



and the complete positivity with respect to parameters a, b and c must be 
verified. Our aim is to find at least one valid TCP transformation. Therefore, 
let us consider that only the parameter b is nonvanishing 4 (i.e. we set a = c = 0). 

4 We will show that even in this particular case there exists a completely positive superop- 
crator. 
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In this case the matrix is symmetric, so the singular values coincide with the 
eigenvalues that read 

{Ai,A 2 ,A 3 } = {1,6,0}. (10) 

The complete positivity constraint jl.'ij requires the validity of the following 
inequalities 

1 + Ai-A 2 -A 3 >0 => b<2 (11) 
1-Ai + A 2 -A 3 >0 =*> b>0 (12) 
1-Ai-A 2 + A 3 >0 => b<0 (13) 
1 + Ai + A 2 + A 3 > => b > -2. (14) 

It turns out that the only possibility to satisfy these conditions is that the value 
of b must set to zero, i.e. b — 0. As a result, we get that the channel E with 
b = is for sure completely positive for all values of cos 0. Consequently, for 
two linearly independent states the derived bound on the choice of the state 
p(°) is achievable. The achievability of the states inside the ball b we obtain 
from the fact that the set of PQCs encrypting given set P is convex as well as 
the set of all achievable states, see Section [21 Later we will specify the unitary 
transformations forming the private quantum channel explicitly. 



6 Three linearly independent states 

In case the set P = {pi,p 2 ,p 3 } contains precisely three linearly independent 
states, the set P forms a plane and valid quantum states from this plane (the 
intersection with the Bloch ball) form a circle c. Since all points of the ball b, 
containing all possible candidates for the state p(°\ have the distance from ll 
the same or smaller than the most mixed state from c, it follows that the circle 
c touches the ball b precisely in the middle of the circle c. Moreover, this point 
~p = p^> is the most mixed state from c. 

To solve the general case explicitely, we will exploit the tools of analytic 
geometry. A plane determined by three points A = B = r*2, C = r 3 reads 
ax + by + cz + d — 0, where 

d = det(ri r 2 r 3 ) (15) 
a = det(TV 2 r 3 ) (16) 
b = det(fi 1 r 3 ) (17) 
c = det(fi r 2 f). (18) 

The symbol 1 = (1, 1, 1) T denotes a column vector. The distance from the origin 
of the coordinate system (the total mixture) equals to 

- M (19) 



yfa 2 + b 2 + c 



This number coincides (if s < 1) with the distance between the maximally mixed 
state pg P and the total mixture. It follows that we can use directly the given 
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set of plaintext states {pi,p2, pz} as the basis. However, for our purposes it will 
be useful to choose operators £1, £2, £3 € P of the form given in Eq. @. Let us 
assume that the set P does not contain the total mixture. In this case 

a = j3 b = a c = d = a(3 (20) 

and 

s=\s\= , M (21) 

The question is, whether the transformations £j 1— > pf ' = ~(1 + s ■ S z ) = E[£j] 
is completely positive, or not. Due to the unitality of the PQC channels, the 
transformation E is completely specified as 



E 



/ 1 \ 





\ s/a s//3 s J 



(22) 

Our task is only to verify the condition of complete positivity. The singular 
values of E reads {Ai, A2, A3} = {0, 0, s« 1 + \ + 4j}. It follows that the map 



is completely positive if and only if < 1— syl + ^ + ^p-. Inserting the derived 
result for the value of s into this complete positivity constraint, we find that it 
is always satisfied, because 



(xi-ji+y * 1- - m x r a2+ f 2 +p2 =1-1=0. 

a 2 I3 2 y/p* + a 2 + {3 2 a 2 V 

(23) 

As a result we obtain that it is always possible to define private quantum 
channel so that the norm bound is saturated and the state p^ 1 = ~p is achievable. 
Let us note that the value of s is always less than 1, which is in agreement with 
the fact that p^ is a quantum state (it belongs to the Bloch ball). The fact 
that for a given set of states P it is always possible to find a unital channel E 
such that V p € P : E(p) = p^°\ where p^ is the closest state to the total 
mixture belonging to the linear span of the set P, is interesting per se. 

The case when p 1 - ' lies inside (not on the surface) the ball b we obtain again 
from the convexity of the set of private quantum channels as discussed in Section 

m 



7 Realizations of PQC and entropy of the key 

So far, we studied the existence of PQC with states for a given set of 
plaintexts P. Next we will analyze the optimal realizations of these private 
quantum channels, i.e. we will ask the question: how many classical bits one 
needs to design the PQC. These classical bits represent the key that must 
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be shared between sender and receiver to perfectly encrypt/decrypt the quan- 
tum states from plaintext. The efficiency of PQC is quantified by the entropy 
(H(p) = — J2jPj 1°§2 Pj) 01 the probability distribution of unitary transforma- 
tions that specify the length of the shared classical key. ft is known that the 
ideal realization of PQC for general qubit states requires two bits. It is realized 
by arbitrary collection of four unitary transformations {Uk}k satisfying the fol- 
lowing orthogonality condition Tr(UjUk) — 26jk- Each of these transformations 
is applied with the same probability p — 1/4, i.e. H (p) — 2. 

Each private quantum channel E is a convex combination of unitary trans- 
formations. Our task is to find a representation for arbitrary PQC, which is op- 
timal. The action channel E can be written in the form E[p] = U$ & [V pV 1( }W ', 
where U, V are unitary transformations. For qubit unital channels the induced 
transformation $g is diagonal, i.e. = diag{l, Ai, A2, A3}. It turns out that 
these transformations are of a simple form and can be written as convex com- 
bination of four Pauli transformations 

®eIp\ = POP + PxVxPVx +Py<JyPVy + Pz^zP^z (24) 

Consequently, the original transformation E is realized by four unitary trans- 
formations Wj = UdjV, i.e. E[p] = ^ZjPjWjpW^ j. Since the probabilities do 

not change, the PQCs E and <f>g can be realized with the same entropy. In fact, 
this holds in general: two unitarily equivalent PQCs can be always realized with 
the same efficiency, i.e. with the classical keys of the same entropy. Thus, it 
is sufficient to analyze the optimality of the realization of Pauli channels $g. 
Finding the singular values corresponding to E we obtain the diagonal elements 
Ai,A2,A3 of $g. The probabilities pj are related to these values A& via the 
following equations 

Px = iCL + Ai-Aa-Aa) 
P y - I(l-Ai + A 2 -Aa) 
Pz = l(l-Ai-A 2 + A 3 ) 

PO = 1 - Px - Py - Pz 

The entropy rate of the given PQC H(E) = H(p), p — {pj}j, is given 
by the entropy of the distribution p. Let p = Pj\ipj){ipj\, where {IV'j)}^ 
is a set of not necessarily orthogonal quantum states. It follows that S(p) = 
S(^2j Pjl^j) (ipj\) < H{p) and the inequality is saturated if and only if {\ipj)}j 
are mutually orthogonal. Let us consider any pure plaintext state |?/>) and let 
= Uj\ip). It is clear that 

S(E(|^|)) = S(p) = S (p(°>) < H{p). (26) 

Therefore the entropy of the encryption operation can always be bounded from 
below by the entropy of p^ as long as P contains at least one pure state. 
This always holds in the case of qubit, however, not in general for systems of 
larger dimension. In example in the case of two qubits we can define the set 
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(25) 



P = {1/41, 1/2(|00)(00| + |11)(11|)}. It is clear that P contains no pure state, 
it is encrypted by the superoperator 

{(1/2,1), (1/2,1® a x )} (27) 

and p(°) = ±1. 

The limit 1|26JI is saturated only if the encoding operators Uj generate mu- 
tually orthogonal (noncommuting) states (ciphertexts) for each given plaintext. 
In particular, if we consider a PQC for all possible states of a qubit, this limit 
can be achieved only (up to unitary equivalence) by encoding with the identity 
and the universal NOT operation. However, this map is not completely positive, 
and therefore unphysical [Jj. 

Next we shall study the realization of PQC when the set of plaintexts is 
two-dimensional and three-dimensional, respectively, and the state p' ' is the 
maximally mixed one from the set P. For two-dimensional set of plaintexts the 
induced transformation is $g = diag{l, 0, 0, 1}, i.e. Ai = A2 = and A3 = 1. It 
follows that 

= 2 P+ 2 azp(Xz (28) 

and one bit is sufficient for encoding. 

One can specify the precise form of unitary transformations, but the explicit 
calculation is quite lengthy. Instead, we will use the geometric picture of Bloch 
sphere to guess the unitaries. 

Two states 

Let us suppose that the set P = {pi,/?2} has only two (linearly independent) 
states. By Theorem 12.31 it also encrypts any state on the line segment I C P 
defined by the points corresponding to the states pi and p2 in the Bloch ball. 
Let us choose the state p^ as the point where the line segment I touches the 
ball 5 b (see fig. EJ, i.e. //°' = p. It is clear that this point is in the center of the 
line segment I, since the extremal points of this line segment are on the surface 
of the Bloch ball. 

We will design a specific superoperator E, which encrypts this line segment 
to the state p(°> . This superoperator can be realized using two unitary operators 
with uniform distribution, 

&{p) = ^lpt + hjpU\ (29) 

where U is the unitary operation, which realizes the rotation of the Bloch ball by 
180 degrees around the axis intersecting points p^ and ^1. It is easy to see that 
such a superoperator takes any state p from I to a convex combination of the 
original state p and the state which lies on the line I in the same distance from 

5 Of possible candidates to the state p( '. 
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Figure 2: Encrypting line segment I. 



p^ , but on the opposite half line (starting in the point p^ ) . The consequence 
is that the convex combination 

\p+\uprf=pW. (30) 

The way to achieve any other point lying on the surface of the ball b is straight- 
forward. For any such point p'^ there exists a two dimensional rotation 
R„(o) , P '(o), which rotates the point p^ to the point p'(°\ This rotation is real- 
ized by some unitary operation U p (o) p/ (o) on the density operators. Therefore, 
the superoperator encrypting the whole line segment I into the point p'^ is 

Mp) = t;U p (o) tP ,( )lplU^ p( o) >p /(o) + ^U p (o) :P ,( )U pU^'U'' p (o) tP , m . (31) 

This superoperator has again Kraus decomposition with only two unitary op- 
erators, and therefore only a single bit of key is needed. The method how to 
achieve any p'^ 6 b (not only on the surface) is based on the method of en- 
cryption of three linearly independent states and will be discussed later in this 
section. 

In this way we have demonstrated that one bit of key is sufficient to encrypt 
set P containing two linearly independent states. It remains to verify whether 
one bit is also necessary. There might e.g. exist some encryption operation 
{(p 1 ,U 1 ),(p 2 ,U 2 )},Pi + P2 = ^ Pi encrypting the set P. Clearly the 

entropy of the key of such an operation is smaller than one. We will prove that 
one bit is necessary by showing that any encryption superoperator E encrypting 
a line I encrypts also the line I', which is parallel to I and intersects ^1. Then the 
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Figure 3: Encryption of I encrypts also I'. 



derived inequality (|2l))l implies that one bit is indeed necessary, since 5(^1) = 1. 
Also, E can be used to encrypt a classical bit ({|0), |1)}) and this result is in 
accordance with [2*fi| . 

Let us denote pi and pn the extremal points of the line segment I (lying on 
the surface of the Bloch ball, see figure OJ) and p' x and p' 2 the extremal points 
of the line segment V . Let us express each of the points p' x and p' 2 as a linear 
combination of the points pi, p 2 and ^1. It is easy to see that the coordinates 
of the points satisfy 

p'x = xpi +yp2 + z-t p 2 = ypi + xp 2 + z^t. (32) 

This relation holds for extremal points of any line segment parallel to I and 
lying in the plane spanned by I and il. Let E encrypts I to some state p' '. 
Then from linearity and unitality of E we obtain 

E(p[) = xE( Pl ) + yE(p 2 ) + z\ = yE( Pl ) + xV(p 2 ) + z\ = E(p' 2 ) (33) 

since E(pi) = E(/?2) = P^ from assumption that E encrypts I. It follows that 
E encrypts any line segment parallel to I lying in the plane spanned by I and 
±1. 

From Eq. I|33(l we can also easily determine the state p'^ = E(p' 1 ), i.e. the 
state where E sends the line segment It is the state p^ shifted towards 
from the equation 

E(pi) = xE(pi) + yE(p 2 ) + z\ = (x + y)pW + z\. (34) 
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Figure 4: Encryption of the circle c. 



The ratio between (x + y) and z determines the distance from it. 

We can also derive an analogical result for PQC encrypting a circle in the 
Bloch sphere. In this case the fact that it also encrypts all parallel circles 
implies that this PQC establishes an approximative encryption of the whole 
Bloch sphere, as defined in ^H]. Also, in general, PQC encrypting any set P in 
any Hilbert space encrypts also all spaces parallel in the superplane spanned by 
P and jl. This will be discussed in detail in a separate paper. 

Three states 

In case the set P contains precisely three linearly independent states p\ , P2 , P3 , 
their linear span is a plane and valid quantum states from this plane (the in- 
tersection with the Bloch ball) form a circle c (see figure 0}. Since all points of 
the ball b, containing all possible candidates for the state p^ , have the distance 
from ^1 the same or smaller than the most mixed state from c, it follows that 
the circle c touches the ball b precisely in the middle of the circle c. Moreover, 
this point p = p^ is the most mixed state from c. 

Following analogical argumentation as in the case of the two states, we con- 
struct the TCP superoperator, which encrypts the whole circle and sends it to 
p( '. This superoperator is the same as in the case of two states, it is the su- 
peroperator (|29|) . The operator U is the rotation around the axis of the circle 
c. The saturation of any other point on the surface of the ball b is the same as 
in the case of two states, see Eq. <j!HT) . 

Using this result we may also design a PQC, which encrypts a set P of 
two linearly independent states into the arbitrary state p^ inside the ball b 
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Figure 5: Encryption of the line I with D(p (0) , 1/21) < D(p, 1/21). 



by using just single bit of key. The ball b is now specified by the given line I 
associated with the set P. The state p^ specifies uniquelly a sphere g of the 
radius r = D(p^> , ^1), centered in total mixture and containing this state on its 
surface. There exists a tangent plane k to this sphere determined by the original 
line I. This plane is generated by three linearly independent states and following 
the reasoning of this subsection, it can be encrypted into its maximally mixed 
state by PQC with H(E) = 1. However, the maximally mixed state equals 
to the only point in the intersection of the plane with the sphere (see figure 
EJ. This point is unitarily equivalent to p(°\ It means that the original set P 
given by two linearly independent states (forming the line in the plane, I G k) is 
encrypted by the same PQC (up to unitary transformation) into the state p^ . 

Let us now proceed with the analytic approach to see how large key is re- 
quired to encrypt the set P into arbitrary state p^ € b. For three-dimensional 
set of plaintexts we have a unique PQC that transforms P into the state 
p(°K The singular values of the corresponding mapping E reads {Ai, A 2 , A3} = 

{0,0, sJl + ^2 + ^2}. It follows that 

Po= Pz = (l + yi + 4, + ^ /4 

Px=Py = (1-^1 + ^ + ^/4 

The parameter s corresponds to the distance between the state p^ and the 
total mixture. It is bounded by the inequality s < , Except the 

case when this inequality is saturated we need four unitary transformations 
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to realize the PQC. For maximal value of s two unitary transformations are 
sufficient. Moreover, they are used with equal probabilities. It means that 
the limiting case (p' ' = p) for two-dimensional and three-dimensional set of 
plaintexts has the same entropy rates. 

If you examine the dependence of the probabilities {pi}i on the parameter 
s, then you realize that to encrypt three states a single bit of key is sufficient if 
is on the surface of the ball b (see the beginning of this section). However, 
as the state p' ' is getting closer to ^1, the entropy of the key grows up to two 
bits. 

The key question is whether the derived bound on entropy of PQC encrypting 
the given set of three linearly independent states is also necessary, i.e. whether 
it is possible for given P and p^ design a PQC with lower entropy of key 
than in the derived example. Let us recall the proof that one bit of key is 
necessary to encrypt the set of two linearly independent plaintexts, see Section 
It immediately follows that one bit is also necessary to encrypt plaintext 
containing at least three linearly independent states. 

The final step is to prove that also the entropy of the private quantum chan- 
nel encrypting three dimensional set P, with D(p(°\ il) < D(jj, il), realized 
using the Pauli channel is minimal. Let us introduce the entropy exchange 
Sex{pA, E) 22] as the quantity measuring the part of quantum information 
which is lost into the environment under the action of the channel E providing 
that the system is initially prepared in the state pa- Provided that the channel 
E on the system A is realized using unitary operation G on a larger system 
AE, where E is the environment, the entropy of exchange is defined as the von 
Neumann entropy of the reduced density matrix of the environment after apply- 
ing the operation G. It turns out that this entropy is independent of concrete 
realization of the superoperator. 

In particular, any channel E has unitary representation E^p^] = Tr^ [G(pA® 
\Q){Q\)G^} = Y,j A jPA Af j with G = J2j A j®\j){°\- lt is known that the entropy 
of the environment state uj e = Tr A [G(p A <S> |0)(0|)G t ] = *£jk ^[ A jPA A h]\j) (k\ 
does not depend on the particular Kraus representation. 

In our case this function is the lower bound of the entropy of the key 
H({pk}k), i-e. H({pk}k) > maxp A S ex (p,~E). This inequality follows from the 
fact that S(oje) < ^(diagg^^]) 6 (definition of von Neumann entropy as mini- 
mum of Shannon entropy ovel all measurements) and for PQC channels we have 
diag B [w£;] = ^ k pk^\UkPAU^ k]\k){k\. Using the the trace properties and nor- 
malization of pa we obtain diag B [tpE] = {pk}k, i-e. S(di&g B [cj E ]) = H({p k }k)- 

In what follows we will show that for qubit the inequality is saturated for 
decomposition into orthogonal unitaries, i.e. for Pauli channels. From the previ- 
ous paragraph it is clear that it is sufficient to show that for some p the induced 
enviroment state lue is diagonal. Hence, we have to verify the conditions under 
which the identity Ti[UjpU'k] = holds for j ^ k. In such case the inequality 
is saturated. It is easy to see that by choosing p — ^1 this is the condition for 

6 The diagg^g] is the all-zero matrix except for the diagonal elements, which are equal to 
diagonal elements of lo^ in the basis B. 
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orthogonality of transformations Uj and this justifies our statement. 

We have shown that for orthogonal decomposition of the channel E the 
entropy of the inequality is saturated, i.e. entropy of the key equals to entropy 
exchange and this is indeed the maximal value of entropy exchange. Fortunately, 
the entropy exchange does not depend on the particular decomposition and 
therefore the entropy of the key cannot be lower for another decompositions. 
It turns out that for qubits any unital channel can be written as a convex 
combination of orthogonal unitaries. However, for larger systems this is not the 
case in general. Consequently, the qubit PQC channel with minimal entropy of 
the key is the one with orthogonal encoding operations, i.e. the corresponding 
Pauli channel <I>g. 

The necessary and sufficient entropy of the key is 1 when = ~p and it 
grows up to 2 bits as the state approaches |l. Therefore, it is natural to 
express the entropy as a function of the parameter 



J(p (0) ,l/21) 



(36) 



where the radius of the Bloch ball is 1. 

Let us use the parametrization of states p\ , p2 , pz € P introduced in the 
Eq. Q and put s = £>0 (0) , 1/21) and p = D{p, 1/21) = \a(3\/ a/I + a 2 + /3 2 . 
Comparing it with the Eq. (|35[l we obtain that the probabilites reads po — p z — 
j(l + r) and p x — p y = \{1 — r), where we used the relation r = s/p. The 
evaluation of the entropy for this realization of PQC channel leads us to formula 



H({p 3 }j) = ~ log 2Pj = 2 - i [(1 + r) log 2 (l + r ) + (1 - r) log 2 (l - r)] , 

(37) 

where < r < 1. It is easy to see that 1 < H({pj}j) < 2. The graph of the 
function H ({pj}j) depending on the variable r is on the FigureEJ Unfortunately, 
as we see from the graph, the entropy grows very fast as r goes to 0. In example 
for r = 1/2 the entropy is already H({pj}j) w 1.81128. 



8 Conclusion 

All single-qubit private quantum channels 

In this paragraph we will answer the following question: which unital maps 
constitute a PQC? We have shown that it is sufficient to consider only Pauli 
channels, i.e. the maps $g = diag{l, Ai, A2, A3}. Nontrivial private quan- 
tum channels are characterized by the property, that at least two pure states 
l^i)) ^2) are mapped into the same state p^°\ In the Bloch sphere parametriza- 
tion (f = (r x , r y ,r z )) this means that fi 1— > r[ = s and r*2 1 — ^ ~ Using these 
relations and explicit form of the Pauli channel we come to the following "PQC" 
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Figure 6: Dependency of the entropy on the variable r. 



conditions = — r^, i-e. Xj{r\j — r 2 j) = for all components j = x, y, z. This 
equality is satisfied only if Xj — for some j, or r\j — r 2 j- Consider the case 
when none of the As vanishes, i.e. X1X2X3 7^ 0. It follows that in order to fulfill 
the PQC conditions r\j — r 2 j for every j. But it means that the states are the 
same. Therefore, at least one of the parameters must vanish. Otherwise the 
transformation does not correspond to private quantum channel. The complete 
positivity condition restricts the possible values of Ai , A2 (we put A3 = 0) so that 
the inequality |Ai ± A2 1 < 1 characterize all the possible qubit private quantum 
channels. 

Multi-qubit generalization 

This result can be generalized for a specific class of multi-qubit states. In each 
of the n qubits we choose a set of plaintexts Pfc in the corresponding Bloch ball. 
Each of the qubits can be encoded by PQC : P^ 1— » pf\ Following the single 
qubit results, we design a PQC on each of the qubits, which encrypts any state 
of the form 



where Vi : fn € K, J2i Mi = 1 an d Vi, k : p]/ G Pfc- Let us denote the set of such 
states by P. Note note that this set contains entangled states as well, because 
not only convex combinations of factorized states are allowed. The values of 
[ii are arbitrary. Consider for instance two qubits. Using PQC encryption for 
P = S(H) on each qubit enables us to encrypt each two-qubit (even entangled) 
quantum state. 

Other implications 

In this paper we derived the restriction that the state of the private quantum 
channel can be any state which has the distance from the maximally mixed state 
il the same or smaller than the state ~p, where p denotes the most mixed state 




(38) 
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in the linear span of P. We showed that any of these states can be achieved in 
the case of the qubit and therefore this condition is also sufficient. 

Further, we demonstrated that it is enough to use a single bit of key to 
encrypt the set P, which is spanned by two linearly independent states, and 
that any state of the previously described candidates to the state p^ ' can be 
achieved. We derived the same result for the set P containing three linearly 
independent states, but with the restriction that a single bit of the key suffices 
provided that the state p^ has the same distance from 1/21 as the state p. As 
the distance of the state p^ to |l approaches 0, the necessary and sufficient 
entropy of the key approaches 2. 

As a special consequence of our derivation we obtain the result of that 
the state p^ = |l when |l is in the convex span of P and two bits of the 
key are needed to encrypt a qubit. Another special consequence of the above 
derivations is the result of that to encrypt real combinations of two orthogonal 
basis states it is necessary and sufficient to use a single bit of key. These real 
combinations form a circle on the surface of the Bloch ball with center coinciding 
with the center of the Bloch ball. 

Moreover, from the discussion in Section HJ it follows that the impossibility 
of universal not operation on qubit |S| can be derived from the fact that one 
bit of the key is not sufficient to encrypt a qubit. 
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A Bloch sphere and qubit channels 

Qubit (two-dimensional quantum system) provides us a very simple and illustra- 
tive picture of the state space. Any state can be expressed as a linear combina- 
tion of the operators {1, a x , a y , a z }. In particular, each operator p — ^(l + r-cr) 
has a unit trace and if \r\ < 1, then it is also positive. Consequently, the state 
space forms a ball with the unit radius. The equivalence p <-> r is called Bloch 
sphere representation (see for instance Refs. |22l I24| ^l. From the orthogonality 
relation Tvakcri = 25ki the parameters of state are given by a simple formula 
f = Trpcr, i.e. as the mean values of the hermitian operators (measurements) 
o~x,o- yi a z . 

Let us describe the relation between the density operators S(Ti) (three- 
parametric subset) embedded in four-dimensional space of Hermitian operators 
and the Bloch sphere contained in three-dimensional space. Let us denote by 
Pj (j = 1, 2, 3, 4) the basis of this space corresponding to four density operators. 
The vectors fj represents the associated points in the Bloch sphere (in three 
dimensional real vector space). Only trace-preserving linear combinations, i.e. 
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p = J2j a jPj with J2j a j — 1 f° r rca l a ji can be understand as linear combi- 
nations of the vectors within the Bloch sphere picture, i.e. f — ^2jO-j^j- In 
fact, Bloch sphere is situated in the three-dimensional space of Hermitian oper- 
ators with unit trace, but only special linear combinations ■ aj = 1) of Bloch 
vectors has its counterparts in the original space of Hermitian operators. 

The structure of qubit channels is known mainly due to work of Ruskai et al. 
|20l I25j . Let us now briefly present a corresponding geometrical picture. From 
the mathematical point of view |221 1^ the channels are described by linear 
trace-preserving completely positive maps E defined on the set of operators. 
The complete positivity is guaranteed if the operator fig = (E ® 1)-P+ is a 
valid quantum state 7 . Any qubit channel E can be illustrated as an affine 
transformation of the Bloch vector r, i.e. r^r' = Tf+t, where T is a real 3x3 
matrix and t is a translation. This form guarantees that the transformation E 
is hermitian and trace preserving, but the complete positivity conditions define 
(nontrivial) constraints on possible values of parameters. In fact, the set of all 
completely positive trace-preserving maps forms a specific convex subset of all 
affine transformations. 

Any matrix T can be written in the so-called singular value decomposition, 
i.e. T = RijDRy with Rjj,Ry corresponding to orthogonal rotations and D = 
diag{Ai, A2, A3} being diagonal with A& the singular values of T. This means 
that any map E is a member of less-parametric family of maps of the "diagonal 
form" <&g. In particular E[p] = t/<&g[VpV^]l^ with U,V unitary operators. 
The reduction of parameters is very helpful, and most of the properties (also 
complete positivity) of E is reflected by the properties of <I>g. The map E is 
completely positive only if $g is. Let us note that is determined not only 
by the matrix D, but also by a new translation vector f — Rut, i.e. under the 
action of the map $g the Bloch sphere transforms as follows rj 1— ► r'- = Xjrj+Tj. 

A special type of completely positive maps are the unital ones, i.e. those 
for which the total mixture (center of the Bloch sphere) is preserved. For these 
channels the translation term vanishes, t = t = 0, and the Bloch sphere is 
"shrinked" without shifting its center. In this case the analysis of all possible 
channels is quite simple, because the induced map <j>g is uniquely specified only 
by three real parameters. Positivity of the transformation <i>g corresponds to 
conditions |A/-| < 1, i.e. all points lying inside a cube. The conditions of com- 
plete positivity 1201 12H] demands the validity of the following four inequalities 
|Ai ± A2I < 1 1 =b A3 J . This specifies the tetrahedron lying inside a cube of all 
positive unital maps with extremal points being four unitary transformations 
1, cr x , a y , a z . 

It follows that each unital map is unitarily equivalent to the map of the form 
$g = diag{l, Ai, A2, A3}. The set of all unital channels is convex. Obviously 
the unitary channels are extremal points of this set. Let us consider a Pauli 
channel P[p] = 'Y^k'PkVkPVk-, i-e. a general convex combination of four Pauli 
unitary transformations. Rewriting this action in the Bloch sphere parameters 

7 P+ is a projection onto maximally entangled state \4>+) = -ts{\00) + 
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we obtain the transformation 



P = 



V 



o 






Vz) 






l-2(p x + Pz ) 




(39) 



l-2( Px + Py ) J 



As a result we get that unital channels are unitarily equivalent to Pauli channel. 
Consequently, each unital channel E can be written as a convex combination 
of (at least) four unitary channels. The probabilities are determined by the 
parameters of the induced map <I> E 



Px = i(l + Ai-A 2 -A 3 ) 

Py = I(l-Ai+A 2 -A 3 ) 

p z = l(l-Ai-A 2 + A 3 ) 

PO = 1-Px-Py-Pz- 



(40) 



Unitary channels are rotations of the Bloch sphere. Unital channels are 
rotations combined with the deformation so that the output states form an 
ellipsoid centered in the total mixture. The values Xj define the size of the 
ellipsoid along three main axes. 
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